Changes between Initial Version and Version 1 of UGS-2008-001

06/09/08 18:03:46

Add announcement for user certs impacted by Debian SSL issue.


  • UGS-2008-001

= UABgrid Security Issue 2008-001 =

== PROBLEM ==

Due to a recent security vulnerability in the OpenSSL packages shipped with the Debian Linux platform, we had to revoke your existing UABgrid user certificate.
== SOLUTION ==

To generate a new user certificate for use with UABgrid resources, please go to the following URL and request a new certificate:

You can then download the key (userkey.pem) and certificate (usercert.pem) into your ~/.globus directory from the Certificate Management Control Panel:
== DETAILS ==

The nature of this vulnerability has to do with the generation of the random numbers used to create your public/private key pair.  On the affected systems, the OpenSSL libraries produce predictable random numbers, so the number of distinct key pairs they can generate is small.  An attacker can therefore enumerate every possible key pair instead of having to break the key.

Because the system that generates the public/private key pair for UABgrid user certs runs on Debian, the user certificates generated on this platform while the vulnerability was in place contain keys drawn from this small, predictable set.

The greatest impact of this threat is for *unsigned* public/private key pairs, like those used for key-based SSH logins.  The predictability of these key pairs gives an attacker a small number of well-known keys to cycle through in order to gain SSH access to an account that has been configured to allow key-based logins: for example, an account whose $HOME/.ssh/authorized_keys file lists a public key that was created on an affected Debian system.

We *do not* suspect a potential to exploit this issue to gain access to UABgrid systems because the Grid Security Infrastructure (GSI) uses *signed* public/private key pairs, i.e. certificates.  These systems do not rely on the "authorized_keys" file for trust.  They rely on the UABgrid Certificate Authority's root certificate, which was not generated on an affected Debian system, and that properly generated CA key pair is what signs each user certificate.  This means that, while your personal public/private key pair could be guessed, an attacker cannot forge a certificate signed by the UABgrid CA.  An attacker who recovered your private key would still need a copy of your usercert.pem to impersonate you, and the key itself remains weak for any other use.

The certificates were revoked as a precautionary measure and to ensure that any other use of these key pairs is not compromised.
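The two checks a user should run after reading the above, as an added example that is not part of the UABgrid announcement or its tooling: test the keys listed in an authorized_keys file, and the modulus of a usercert.pem, against a weak-key blacklist.  The fingerprint scheme is, to the best of my knowledge, the one used by Debian's openssl-blacklist and openssl-vulnkey tools (the last 20 hex characters of SHA-1 over the text "Modulus=<HEX>" plus newline, exactly as `openssl rsa -noout -modulus` prints it); verify against those tools before relying on it.  The moduli, blacklist entries and authorized_keys lines below are constructed for illustration and are not real RSA keys; a real check needs the blacklist.RSA-* files shipped in the openssl-blacklist package.

```python
"""Check RSA public keys against a Debian weak-key blacklist (openssl-blacklist format).

Added example, not code from the UABgrid announcement.  Fingerprint = last 20 hex
chars of sha1("Modulus=<HEX>\\n"), HEX as printed by `openssl rsa|x509 -noout -modulus`
(my understanding of openssl-vulnkey's scheme).  All keys and blacklist entries
below are CONSTRUCTED; use the real blacklist.RSA-<bits> files for production keys.
"""
import base64
import hashlib
import struct


def openssl_modulus_hex(n: int) -> str:
    """Render n like OpenSSL's BN_bn2hex: uppercase, whole bytes, no 0x prefix."""
    h = format(n, "X")
    return "0" + h if len(h) % 2 else h


def blacklist_fingerprint(n: int) -> str:
    """Blacklist entry for modulus n: hex SHA-1 of 'Modulus=<HEX>\\n', characters 21-40."""
    digest = hashlib.sha1(f"Modulus={openssl_modulus_hex(n)}\n".encode()).hexdigest()
    return digest[20:]


def fingerprint_from_modulus_line(line: str) -> str:
    """Take the 'Modulus=...' line from `openssl x509 -noout -modulus -in ~/.globus/usercert.pem`."""
    line = line.strip()
    if not line.startswith("Modulus="):
        raise ValueError("expected a line of the form Modulus=<HEX>")
    return blacklist_fingerprint(int(line[len("Modulus="):], 16))


def parse_ssh_rsa_modulus(pubkey_line: str) -> int:
    """Extract n from an authorized_keys line (SSH wire format: string 'ssh-rsa', mpint e, mpint n)."""
    fields = pubkey_line.split()
    idx = fields.index("ssh-rsa")            # options such as from="..." may precede the key type
    blob = base64.b64decode(fields[idx + 1], validate=True)
    parts, off = [], 0
    for _ in range(3):                       # three length-prefixed fields
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        parts.append(blob[off:off + length])
        off += length
    if parts[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(parts[2], "big")   # positive mpint; a leading 0x00 byte is harmless


def encode_ssh_rsa(e: int, n: int, comment: str = "user@host") -> str:
    """Build an authorized_keys line; used here only to construct sample input."""
    def mpint(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")   # extra 0x00 keeps the value positive
        return struct.pack(">I", len(b)) + b
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def load_blacklist(path: str) -> set:
    """Read a blacklist.RSA-<bits> file: one 20-hex-char fingerprint per line, '#' comments."""
    with open(path) as fh:
        return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}


def check_authorized_keys(lines, blacklist) -> list:
    """Return (line_number, fingerprint) for every ssh-rsa key whose fingerprint is blacklisted."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            n = parse_ssh_rsa_modulus(line)
        except (ValueError, IndexError, struct.error):   # non-RSA key types or malformed lines
            continue
        fp = blacklist_fingerprint(n)
        if fp in blacklist:
            hits.append((lineno, fp))
    return hits


# Constructed moduli (not real RSA moduli) standing in for a weak key and a sound key.
WEAK_N = int("D5A2F1C3B4E6978811223344556677FF", 16)
GOOD_N = int("F0E1D2C3B4A5968778695A4B3C2D1E0F", 16)
# Constructed blacklist; in practice: load_blacklist("/usr/share/openssl-blacklist/blacklist.RSA-2048")
SAMPLE_BLACKLIST = {blacklist_fingerprint(WEAK_N)}
# Constructed authorized_keys content: line 3 carries the weak key behind a from= option.
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys",
    encode_ssh_rsa(65537, GOOD_N),
    'from="10.0.0.0/8" ' + encode_ssh_rsa(65537, WEAK_N),
]

if __name__ == "__main__":
    for lineno, fp in check_authorized_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(f"authorized_keys line {lineno}: weak Debian key, fingerprint {fp}")
    cert_line = "Modulus=" + openssl_modulus_hex(WEAK_N)   # what openssl x509 -noout -modulus prints
    print("usercert.pem on blacklist:", fingerprint_from_modulus_line(cert_line) in SAMPLE_BLACKLIST)
```

Only the modulus is fingerprinted, so the same check covers a GSI certificate, the userkey.pem behind it, and an SSH public key: a weak key is weak regardless of which trust mechanism it is used with, which is the reason the certificates above were revoked even though the CA signature itself cannot be forged.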
For further information and to track issues related to this vulnerability, please visit: